
Stage 7
Governance Checks

“Measure twice, cut once”
English proverb

Just because no-code allows for rapid, incremental updates does not give you a pass to ignore governance requirements. Proper technological governance is essential for maintaining security and regulatory compliance at all times. Skipping governance checks can have significant impacts on the business: becoming noncompliant can result in fines, settlements, business disruption, and lost productivity and revenue. Furthermore, the damage to a business’s reputation can be irreparable. So, as the proverb goes, “measure twice, cut once” to make sure the cut you are making is the one you want. Make sure you have thoroughly reviewed your application against its governance requirements before releasing it into the wild.

Now, let’s begin by identifying and reviewing some of the more common types of governance you will encounter:

  1. External compliance. Checklists to assess compliance with external laws, guidelines, or regulations imposed by external governments, industries, and organizations.

  2. Internal compliance. Checklists imposed by internal audit teams or committees to enforce adherence to rules, regulations, and practices as defined by internal policies and access controls.

  3. Security. Checklists to protect your corporate information resources from external or internal attacks.

  4. Data governance. Checklists to assess how sensitive corporate data is managed and secured.

External Compliance

We’ll start by looking at external compliance reviews. These are reviews conducted by a designated entity to assess whether your application complies with the laws, guidelines, and regulations set by external governments, industries, and standards organizations. Usually, this will apply to applications that contain sensitive customer data, especially healthcare-related information or financial data (e.g., credit cards and bank accounts). The external auditor will usually work with someone in IT or Operations, so be sure to build time for these reviews during the Project Assignment stage.

The range of external compliance standards can be quite varied depending upon industry or geography. The following is not a complete list but provides a representative set of examples of compliance requirements that may be applicable to your application:

General Data Protection Regulation (GDPR)

If you are building an application that will be capturing and manipulating the personal data of people in the European Union (EU), such as the contact details handled by a sales and marketing application, you need your application to be reviewed and approved by the Data Protection Officer. Processing that is likely to pose a high risk to individuals may also require a Data Protection Impact Assessment before go-live.

Health Insurance Portability and Accountability Act (HIPAA)

If you are in the healthcare vertical and the application is touching protected health information (PHI), the no-code team should be working with a relevant approver who ensures that the appropriate data privacy and security regulations are being met.

Payment Card Industry Data Security Standard (PCI DSS)

If you are building an application that will be touching sensitive financial information like credit card data (e.g., a customer case management application in financial services), the application and the systems it connects to fall within the cardholder data environment and must be assessed against PCI DSS. A practical way to reduce that scope is to keep raw card numbers out of the app altogether, for example by storing only a token issued by your payment processor.

Know your customer (KYC) and anti-money laundering (AML)

If you are building an app where a financial institution will be onboarding new clients, you may be subject to regulations that require you to ensure that no monies you are receiving have come from criminal or terrorist activity. Your compliance officer will need to ensure that checks are performed to specifically verify the identity of your customers and investors together with their financial activities and any risks they may pose.

These are just some of the more common external standards or regulations that may be specific to your industry. Some of these apply at the platform or data center level (like SSAE 16, since superseded by SSAE 18 and the SOC reports it produces) and do not need to be reviewed per individual application. In other cases, app-specific reviews may be required. So, it’s recommended that you collaborate early with IT, your IT security team, or the CoE, if applicable, to identify which external governance checks apply to your app and when they must be performed, and to begin preparing for them.

Internal Compliance

Internal compliance reviews develop an independent assessment of the effectiveness of an organization’s risk management, processes, and general governance. Unlike external compliance, these reviews are not mandated by an external entity or legislation. Instead, they are the organization’s own way of performing internal quality measurement and management. The goal is to collect accurate information internally about the team’s performance, governance, and risks.

Here are a few examples of internal audits you may encounter:

Management audits

IT audits

Operational audits

Security

Security and cyberattacks are increasingly becoming a board-level priority for most organizations, especially with security threats increasing because of the pandemic and the shift to hybrid work environments. Approximately 80% of security and business leaders now say their organizations have more exposure to cyber threats today as a result of remote working (Beyond Boundaries: The Future of Cybersecurity in the New World of Work, Forrester). It’s more imperative than ever before to prioritize security reviews and take preemptive steps to protect against significant security threats.

Typically, an organization’s chief information security officer (CISO) and/or security department will have defined a standard collection of processes and technologies that work together to help strengthen a company’s overall security profile. Adherence to these standards will be assessed during a security review. A security review should be a collaborative process between the security team and the no-code team to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.

Well-defined security checklists exist for software development, such as the OWASP Top 10 (OWASP Top Ten, OWASP Foundation), but they do not map one-to-one onto no-code development, because many of the code-level mistakes they catalog (injection, memory-safety bugs, hand-rolled session handling) are prevented or abstracted away by the platform. To be clear, proper security practices must still be followed; the difference is that responsibility is now shared. The vendor is accountable for the security of the platform itself, while the no-code team remains accountable for how the app is configured: who can reach which screens and records, what the app’s connectors are allowed to access, whether credentials live in the platform’s secret store rather than in a formula field, and whether the business logic exposes data it should not. Those are exactly the OWASP categories (broken access control, security misconfiguration, insecure design) that a platform cannot solve for you, and OWASP publishes a dedicated Low-Code/No-Code Top 10 covering them. Within those limits, no-code platforms can significantly improve adherence to security guidelines because they enforce a more standard way of building and deploying software and remove the opportunity for developers to accidentally write insecure code. Note that a fuller security review will be required the first time a no-code platform is implemented, to validate the security profile of the platform itself (hosting, tenant isolation, identity integration, audit logging). Subsequent use of the platform to build individual apps will likely be streamlined because those apps follow a consistent pattern, with the review concentrating on the app-specific configuration items above.

However, even if the no-code platform handles some of the more common and basic security practices for you, it’s still critical to work closely with IT and, if applicable, the CoE to understand what reviews and checklists still apply and ensure early scheduling with the appropriate security team to avoid delays.

Data Governance

Data governance is the final category of governance. It is a defined approach to data and information management, formalized within an organization as a set of policies and procedures. Data governance checklists encompass the full life cycle of data, from acquisition through use to disposal, and are essential to control how sensitive corporate data is managed and secured. They will include considerations on data classification and ownership, access rights, quality, retention, and managing the risk of data loss.

Many organizations have recently gone through initiatives to comply with the GDPR. While this is a regulation specific to the European Union, many global companies are using it as a framework to help drive better customer data management practices.

The no-code team will typically work with data owners and the data governance group to review how your organization’s data policies will impact the app they’re building. Such reviews are typically focused on security and privacy protection, data quality, access, sharing, dissemination, and security and risk management.

Governance Considerations

Regardless of the type of governance check, there are some common considerations and best practices to keep in mind:

Properly scoping the effort

Many governance checks (especially internal ones) require varying levels of effort and time based on the criticality of your application. Some apps may not require many reviews while others may need significant time investment. The exact scope and the necessary governance checks should be defined using the Application Matrix during the Project Assignment stage, and at that point the no-code development team should engage the required roles for each type of check. Later, when you are preparing for the initial release, the no-code team should confirm that none of the iterations added capabilities (for example, a new data source, a new integration, or a new class of user) that change the governance requirements. They can do this by re-applying the Application Matrix to the completed MVP app as it has actually iterated.

Planning ahead

Once you’ve identified the applicable governance checks, then the no-code project team (usually supported by IT or the CoE) will work with an internal audit team or external auditor to perform the review. The frequency varies: most require annual certification, but others may be dictated on a different schedule. Reviewing for governance should not be an afterthought in the development process. While the final reviews for governance may need to wait until after the app is completed (near the end of the Go-Live Phase), you should have already scheduled required reviews and started collaborating with the designated approvers during the Project Assignment stage.

Early collaboration

One of the other benefits of scheduling governance early is that it facilitates very early collaboration with the appropriate approver stakeholders (typically in IT or Ops) to anticipate and mitigate significant issues. Ideally, you should proactively be consulting with the identified Governance team from the beginning of the Go-Live Phase, so that you streamline and reduce downstream issues found later in the lifecycle.

Final Takeaways

Keeping up with the speed of the business is important but so is ensuring the proper governance of the application. Don’t move so quickly that you fail to meet security, compliance, and data governance checks. Speeding through these compliance checks could result in significant business penalties and consequences, potentially eclipsing the gains achieved through the no-code solution. While you may feel pressure from stakeholders to release the app as soon as possible, doing it without heeding governance could result in a business loss that could be painful and expensive to remediate. Don’t overlook the essential governance checks that will measure your success.

Congratulations! Now that you’ve finished your governance reviews, you’re ready to release to production! But wait, don’t forget to consider the essential final activities of a successful release that we discuss in the next chapter.